1. Introduction


Welcome to the Cellebrite Reader. The Cellebrite Reader enables you to open reports,
perform your own search and analysis on the analyzed information, and perform actions such
as generating reports, creating entity bookmarks, and more.


The Cellebrite Reader is an application that reads .ufdr files, the report files generated from 
analyzed data of a physical, file system, or logical extraction by Physical Analyzer and Logical 
Analyzer. You can also view UFED Cloud extraction reports in the Cellebrite Reader. 


The Cellebrite Reader is available to everyone, and is typically distributed by users of 
Physical Analyzer and Logical Analyzer. No installation or licensing is required. 


2. Getting started 


This section includes the following: 


Acquiring Cellebrite Reader
Opening Cellebrite Reader
Opening a file for analysis
Opening an encrypted zip file
Saving a project session
Loading a project session
Closing Cellebrite Reader
Keyboard shortcuts


2.1. Acquiring Cellebrite Reader 


You can acquire Cellebrite Reader in the following ways: 
» Through the Physical Analyzer installation 
» Through the Logical Analyzer installation 


» When generating a UFDR file in Physical/Logical Analyzer, select the Include Reader 
check box. 


» Download from MyCellebrite 

2.1.1. System requirements

 | Windows compatible PC with Intel i5 or compatible
Operating System | Microsoft Windows 10, 64-bit; Microsoft Windows 8.x, 64-bit
Memory (RAM) | 16GB
Space requirements | 120 MB of free disk space for installation
Additional Requirements | Microsoft .Net version 4.6.2; Windows Media Player (default version for installed OS or higher) to use the Capture tool and for video playback.
Permissions | If you intend to activate the application using a hardware license key (dongle) provided by Cellebrite, you must have administrative rights over the computer.


2.2. Opening Cellebrite Reader 


The Cellebrite Reader does not require installation; you can save and open the application 
from any computer or USB drive. 


1. Save the UFEDReader.exe file to the desired location. 
2. Double-click UFEDReader.exe. 


Cellebrite Reader opens. 


[Screenshot: Cellebrite Reader 7.34.0.37, Welcome tab with the Recent files list]

If you have not activated Reader previously, the Reader Activation window
appears; see Activating Cellebrite Reader (on the facing page).

2.3. Activating Cellebrite Reader


Activate Cellebrite Reader to benefit from exclusive features and enrichment capabilities,
such as converting Wi-Fi (BSSID) and cell tower identities into physical locations.


To activate Cellebrite Reader: 


1. When Cellebrite Reader starts for the first time or it has not yet been activated, the 
Reader Activation window appears: 


[Screenshot: Reader Activation window with the "I am a new user" and "I have an activation code" options and the Activate later and Get activation code buttons]

2. Under I am a new user, click Get activation code.

If you do not have an Internet connection, you will need to complete this
step on another computer with an Internet connection.


The following window appears. 


[Screenshot: Register Reader form with the mandatory fields First name, Last name, Job role, Agency/Company/Organization and Country]

3. Complete the mandatory registration information, select the I'm not a robot and the
Terms of Use and Privacy policy check boxes. Then click Send me the activation key. The
following window appears.


[Screenshot: confirmation window stating that registration completed successfully and that the activation key was sent by email]

4. Check your email for the activation code.
5. In the Activation window, click I have an activation code, and then enter the email address
you used to register and the activation code.

[Screenshot: Reader Activation window, I have an activation code option, with the fields Enter your email and Enter your code (8 digits) and the Forgot your code? link]

6. Click Activate now. The following window appears.

[Screenshot: Activation Successful window: "Reader is now activated."]


7. Click OK. 


To restore your activation code: 


1. In the Reader Activation window, click the Forgot your code link. The following window 
appears. 


[Screenshot: Restore my activation key form with the Email address and Confirm your email address fields and the Send me my activation key button]

2. Enter the email address that you used when you registered (or click New user to create a
new user).


3. Click Send me my activation key. A confirmation email with your new activation key will be 
sent. 


4. Check your email for your activation key. 


2.4. Opening a file for analysis 


The Cellebrite Reader can open UFDR files. 
1. Do one of the following: 
» Click File > Open UFDR file. 
» In the Welcome tab, click Open.
2. Browse to the location of the file, and select it. 


3. Click Open. 


The data analysis process begins and runs for several seconds. At the end of the process, 
the new project is added and the Extraction summary appears in the data display area. 


2.5. Opening an encrypted zip file 


Cellebrite Reader can open encrypted zip files created by Cellebrite Responder. The zip file 
can contain HTML, PDF and UFDR report files. Only the UFDR file can be opened. To open an 
encrypted zip file, you need to enter the password. 

To open an encrypted zip file:

1. Open the extraction in Cellebrite Reader. The following window appears.

[Screenshot: window listing the reports contained in the extraction zip file (report.html, report.pdf, report.ufdr), the My Reports folder they will be saved to, and the Open the report.ufdr check box with the note that this process takes time to complete]

The window indicates where the report files will be saved.

2. To open the report.ufdr file, select the Open the report.ufdr check box.

3. Click Continue to save the report files to the location indicated. The following window
appears.

[Screenshot: password prompt: "The file is password encrypted. Enter the password to open the file."]

You can change the location under Settings > Report Defaults > Default
folder.

4. Click OK.


2.6. Saving a project session 


Save the project session to save your work on the project, enabling you to close Cellebrite 
Reader and restart your session at a later time. 


The saved session file (.pas) includes:


» User selection in the Analyzed Data and Data Files tables 
» Case Information settings 
» Generated reports 

» Location address 

» Opened tabs 

» Project name 

» Project settings 

» Report selection 

» Searches 

» Tags 

» Translations 

» Unified time zone settings 
» User sorting in data tables 
» Verifying hash values 

» Watch list results 


A project session can also be created for extractions performed by third party tools. 


Saved project sessions do not contain defined settings. For more information on how to save
your settings, see Saving settings (on page 104).


To save a project session: 


1. In the File menu, select Save project session. The Save As dialog box appears. 
2. Browse to the location where you want to save the project session file. 
3. To change the file name, edit the automatically assigned name in the File name box. 


To overwrite an earlier session, choose the same file name. 


4. Click Save. 

2.7. Adding external files


If required, you can include related artifacts in your case. These are external files such as 
search warrants, additional images and relevant documents. These files will be added to the 
project tree, under Additional files and can be included in reports. 

To add external files to the report: 

1. Click Add external files in the Extraction Summary.

or

Click the menu icon next to the project and select Add external file.

2. Select the file. The following window appears.

[Screenshot: Additional files window with the File name and Category fields]

3. Enter a name for the file.
4. Enter or select a category.
5. If required, enter any notes.

For images, you can use the drawing tool on the left to draw text, add
shapes, crop, resize, rotate, and flip the image. You can also copy the
image to the Clipboard.

6. Click Add to project and select the project. The file is located in Reports > Additional files
> External files.

[Screenshot: project tree showing Reports > Additional files > External files beside the Extraction Summary]


7. Open the files from here and select or clear the check box to include or exclude files from 
the report. 


[Screenshot: external files table with the columns Name, Note, Path, Size (bytes), Metadata and Created, listing Consent form.docx]


8. When generating a report select the Additional Files check box. 


[Screenshot: report generation window with the Additional Files check box among the data types]

2.8. Loading a project session

1. From the Welcome tab, open the project that you want to work in.
2. In the File menu, select Load project session.
3. In the Open dialog box, browse to and select the project session file that you want to open.
4. Click Open. The session opens.


2.9. Closing Cellebrite Reader 


» In the File menu, select Exit.


2.10. Keyboard shortcuts 


Ctrl+B | Add an entity bookmark
Ctrl+End | Move the cursor to the end of a table
Ctrl+Home | Move the cursor to the beginning of a table
Ctrl+O | Open a UFDR file
Ctrl+P | Open project settings
Ctrl+R | Open the report wizard
Ctrl+T | Open settings
 | Switch between open tabs
 | Close a project
 | Open the product documentation
Space | Select or clear check boxes
Ctrl+F6 | Redact images or videos


3. Orientation to the workspace 


The workspace contains two main areas, the project tree and the data display area, to
streamline your workflow.


The workspace contains the following components:
1. Application menu bar
2. All projects search
3. Navigation menu
4. Data display area


3.1. Navigation menu 


Navigate the Cellebrite Reader application views from the following navigation menu items: 
» Home 

» Timeline 

» Analyzed data 

» File Systems 

» Insights 

» Tags 

» Reports 


3.1.1. Home 


The Home view displays the Extraction summary. See Extraction summary tab (on page 364).

[Screenshot: Home view showing the Extraction Summary tab]


3.1.2. Timeline 


Timeline view is a powerful tool that enables you to analyze data in chronological order, to 
identify the order of events and make connections between them. 


[Screenshot: Timeline view with the timeline table]


Filtering and sorting the timeline table 


The timeline has many advanced filtering and sorting options to drill down to specific data
and display them according to the user's needs.


Filter by Type, Timestamp, Party, Description, Source, Source file information, and 
Extraction. 


To filter the timeline: 


1. Click the dropdown icon in a column heading. 
2. Select the filter options.
3. Click Ok. 

To clear applied filters, click Clear filters.


Sorting the timeline table 


Sort the timeline table by Type, Time stamp, or Extraction. 


1. Click the dropdown icon in a column heading. 
2. Select either: 

» Sort ascending 

» Sort descending 


The graphical timebar 


The graphical timebar allows you to zoom in to the timeframe in question as well as analyze
multiple timestamps of events.


To select a specific timeframe in the graphical timebar: 


1. Click and drag on the time bar to select a timeframe. 
2. Click Apply. 


The table is updated to reflect the selected timeframe. 
To apply fields to the graphical timebar: 


1. Click (icon) to open the fields selection window.
2. Select the required fields.
3. Click Apply.

To zoom in on the graphical timebar, click the zoom in icon. To zoom out, click the zoom out icon.

To clear timebar settings, click Clear.


Tagging items on the timeline 


Tag timeline items for easier data management. 


[Screenshot: Timeline tab with tagged items]

To add a tag to timeline items:

1. Select one or more rows in the timeline table.
2. Click (icon).
3. Select Tag.
4. Select the required tags.

[Screenshot: tag selection window listing the case tags Evidence (F6), Important (F7), Pending (F8) and Completed (F9), with an optional Description field and the Clear All and Manage tags options]

5. Click OK.

The Tags column is updated with the selected tags.

To manage tags:

1. Click (icon).
2. Select Manage tags.
3. In the Manage tags window you can:
» Search tags.
» Rename existing tags.
» Delete tags.
» Define tag color.
» Define tag hotkey.
» Create a new tag by clicking New tag.
» Import and Export list of tag labels.
4. Click Ok.

[Screenshot: Manage tags window with the tag search box, the global tags list, and the Import, Export and New tag buttons]

Managing timeline settings

1. Click Timeline settings.
2. Select required settings.
3. Click Ok.

[Screenshot: Settings window, Timeline section, with options for the timestamp fields (Created, Captured, Modified, Accessed, Deleted, Changed), the data file types (Image, Audio, Video), activities, device events and AppGenie events shown in the timeline]


3.1.3. Analyzed data 


The Analyzed Data view displays a tree with groups of analyzed data that are related to 
device-specific features such as contacts, SMS messages, call logs, and so on. 

[Screenshot: Analyzed Data tree with categories such as Calls, Contacts, Location Related, Media and Messages and their item counts]

The available information and what is displayed depends on the device features and 
application version. For example, SMS messages are sorted according to the folders used by 
the messaging feature of the device, such as Drafts, Inbox, Outbox, Sent, and so on. Email 
messages are sorted according to the account through which they were sent or received. An 
uncategorized account or messages folder lists the folders or messages that cannot be 
categorized in any of the found accounts or account folders (Inbox, Outbox, Drafts, and so 
on). 


The following information types are displayed in the Analyzed data tree:


Analyzed Data 

» Personal information - Calendar, contacts, notes, call log, user dictionaries, user 
accounts. 

» Messaging items - SMS, MMS, email, instant messages, chat. 

» Web browser items - Bookmarks, history, cookies. 

» Media items - Audio, images, and videos. 

» GPS information - Locations (including from video files, metadata, and SQLite databases),
journeys, fixes. For more information on geolocations.


» Device information - Bluetooth pairings, wireless networks, SIM data, application usage, 
Wi-Fi, cellular locations. 


The number in parenthesis designates the number of items each category contains. 


Selecting any analyzed data category automatically adds it to the highlights list of the
displayed binary image and/or memory range it belongs to (located at the bottom of the Hex
view tab), and highlights its data range portions in the displayed data.


Data files 


The Data Files tree item sorts the extracted data into common formats, used by devices and 
computers, such as text or document files. 




In the project tree, the information is displayed in the following categories: 


» Applications - Files that were recognized as application files (such as .apk, .jar, .dex, .so,
.exe)

» Archives - Files that were recognized as archive or compressed files (such as .zip, .zipx,
tar, tar, .gzip, .7zip, .7z, .dar, .gz, .arj)

» Configurations - Device configuration files (such as iOS plist files)

» Databases - Data structures that were recognized as databases

» Documents - Files that were recognized as document file formats (such as .doc, .docx,
.pdf, .xlsx, .ppt).

» Shortcuts - 

» Text - Files that were recognized as text file formats 

» Uncategorized - All unknown file formats or undefined file extensions. 


Deleted items are indicated in red. 

Double clicking on a tree item opens a tab in the data display area.


Expand or collapse tree items by clicking (icon) and selecting Expand all or
Collapse all.


3.1.4. File systems 


The File systems view displays a tree with the following data: 


» Memory images - Double-click an image item to display it in a Hex View tab in the data 
display area. 


The Memory Images tree item lists all the extraction files generated from the memory
modules of the device.


» Memory Ranges - lists the analyzed memory ranges for each of the extracted memory
modules of the device (listed under Images).


Select a memory range to:
» Highlight the memory range portion in the displayed data
» Add it to the highlights list of the displayed binary image it belongs to (located at the
bottom of the Hex view tab).


Double-click a memory range item to display its content in a new Hex view tab. 


» File systems - file systems found or reconstructed out of the analyzed binary file. 

[Screenshot: File Systems tree showing folders with their file counts and sizes]


The File Systems tree displays all the file systems found or reconstructed out of the analyzed 
binary file. 


Each file system is marked with (hard drive icon). Deleted files are marked with (red cross 
icon). 


Double-click any file system item to display its content in a new Hex view tab. 


Double clicking on a tree item opens a tab in the data display area. 


Expand or collapse tree items by clicking (icon) and selecting Expand all or
Collapse all.


3.1.5. Insights 


The Insights view displays a tree with the following information: 

» Watch lists - Watch lists are lists of keywords that you create and then use to search and
identify events and items of interest in the extracted data. 
» Expand Watch Lists to view a list of watch lists that have been run in the current 
session. 
» Double-click on Watch Lists to view the highlighted entity based on the watch lists. 
» Hash sets 
» Malware scanner - Run the malware scanner to identify malware on the device. 


Double clicking on a tree item opens a tab in the data display area.


Expand or collapse tree items by clicking (icon) and selecting Expand all or
Collapse all.


3.1.6. Tags 


The Tags view displays a tree with defined project tags. 


Double click on a tag in the tree to open a tab with details in the data display area.

[Screenshot: Tags tree showing the project tags Evidence, Important and Pending]

Double clicking on a tree item opens a tab in the data display area.


Expand or collapse tree items by clicking (icon) and selecting Expand all or
Collapse all.


3.1.7. Reports 


The Reports view displays a list of generated reports. See Generating a report (on page 79).


1. Double click on a report to open it. The report opens in the application associated with the
report format.

[Screenshot: Reports tree showing a generated report and Additional files > External files]


3.1.8. Managing project actions 


The project menu allows you to perform the following actions: 

» Add external file

» Rename 

» Select items for report 

» Unselect items for report 
» Close 


Procedure: 


1. Click the menu icon next to the project name. 


2. Select the required menu item. 


[Screenshot: project menu showing Add external file, Rename, Select items for report, Unselect items for report and Close]


3.1.9. Viewing extraction data from multiple projects 


When there are multiple projects open in Cellebrite Reader, it is possible to switch between
projects to view the data.

1. Click the dropdown icon next to the project name.
2. Select a project.

The view displays the extraction data for the selected project.

[Screenshot: project dropdown listing two open projects]


3.2. Data display area 


Double-click an item to display it in a tab. A new tab is opened for each item. There are 
three tab types: 


» Welcome tab 
» Extraction Summary tab 
» Data tabs, with sub-tabs that present a particular view, depending on the data 


The data display area also displays additional windows such as the Trace window and 
Timeline view. 

To close a tab
» Do one of the following:
» Click on the tab header.
» Click X at the top right of the data display area.

To jump to a specific tab
» At the top right of the data display area, click (icon), and select the desired tab from the open
tabs list.

3.2.1. Welcome tab


The Welcome tab is automatically displayed in the data display area when the application 
starts and displays a list of recently opened files. 


[Screenshot: Welcome tab with the Recent files list]


Each file in the list is displayed as a framed information group that contains the following 
items: 


» Device picture - A thumbnail image of the device from the application resources, if 
available. When unavailable, a general placeholder image is used. 

» File name - The name of the opened file, without the file extension. 

» File path - The file system path to the file location. 


» Device model - The identified device manufacturer and model, or BINARY if the opened 
file was a binary extraction. 


» Date and time - The date and time stamp at which the file was last opened.
» Browse link - A direct link to the file in the system.


To remove a recent item from the Welcome tab, click (icon).


You can do the following:


» Click on a framed item to open the files for decoding.
» Click Browse to go directly to the file associated with it in the file system. 
» Close the Welcome tab. To reopen it, go to View > Welcome Screen. 

3.2.2. Extraction summary tab


The Extraction Summary tab is displayed automatically whenever you open a new extraction 
for analysis. 


The Extraction Summary tab has the following sub tabs: 


» All Content: Includes information on the extractions, device information and device
content. For more information, see All Content tab (below).


» Extractions: A tab for each type of extraction performed. See Extraction tabs (on
page 41).


3.2.2.1. All Content tab 


The All Content tab includes the following information: 


Extractions
Case Information
Device Info
Device Content


3.2.2.1.1. Extractions


This section includes information related to the device extractions. 




Figure: Project with multiple extractions 


The Extractions area includes the following information: 


Extraction link | Link to the extraction tab.
Device model | Detected model e.g., MB717, Samsung GT-I9205.
Type of extraction | Type of extraction performed e.g., Physical (Bootloader).
Extraction start date/time, Extraction end date/time | When the extraction started and ended.
Path to the extraction file | The location of the extraction file.


To rename an extraction: 


1. Click the Edit button (icon) or select the extraction name in the project tree, right-click and
then select Rename. The following window appears.

[Screenshot: Rename extraction window with the Enter a new name for the extraction field]

2. Enter a new name for the extraction and then click Save.


To rename a project: 


1. Select the project name in the project tree. 


2. Right-click and then select Rename. The following window appears. 


[Screenshot: Rename window with the Enter a new device name field]


3. Enter the required name for the project. 
4. Click Save. 


3.2.2.1.2. Case Information 


This section includes the case information, which is taken from the Project settings > Case 
Information. 


[Screenshot: Case Information section]


3.2.2.1.3. Device Info


This section displays a summary of the specific device information taken from the extraction
file.


The following example shows device information for a project with multiple extractions.

[Screenshot: Device Info section listing, for the Logical and Physical extractions, fields such as Detected manufacturer, Detected model, Phone revision, IMEI, Android ID, Bluetooth MAC Address, OS Version, ICCID, IMSI, Locale language and Time Zone, each with its value and the source it was read from]

3.2.2.1.4. Device Content


This section includes the analyzed content, which is divided into the following categories: 


» Phone Data: The types of analyzed device data found in the extraction, such as call logs, 
contacts, instant messages, and so on. 


» Data Files: The types of standard data files found in the extraction, such as applications,
audio, configurations, images, videos, text files, and uncategorized.


» Camera Evidence: Pictures or videos of a device.


» Phone Evidence: Screenshots of the device.


[Screenshot: Content section listing the analyzed data categories with their item counts]


The number in white indicates the total number of items, and the number
in red (in parenthesis) indicates that the item was found in deleted data.


3.2.2.2. Extraction tabs 


An extraction tab is displayed for each type of extraction. The extraction tabs display
extraction information such as when the extraction was performed, by which Cellebrite UFED
unit and using which cable, as well as Image Hash Information, which is used to verify
the logged hash values of the parsed images. In each extraction tab you can use the find
box to search for device specific information.


Extraction information includes the following: 


Extraction start date/time, Extraction end date/time | When the extraction started and ended.

Unit Identifier | The serial number of the device that performed the extraction (e.g., Cellebrite UFED Touch), or a unique ID if the extraction was performed by a PC application (e.g., Cellebrite UFED 4PC).

Unit Version | Cellebrite UFED software version (e.g., 4.1.0.220)

Selected Manufacturer | Manufacturer of the device (e.g., Apple)

Selected Device Name | Device name (e.g., iPhone 4)

Connection Type | Cable used for the extraction (e.g., Cable No. 100)

Extraction Type | Type of extraction performed (e.g., File system)

Extraction ID | Unique ID for each extraction type

Extraction (UFD) file data integrity | Corruption check status (e.g., Intact, Corrupt, Not Available)


To display the relevant information in a new tab in the data display area, click any of the tree items.


Protecting UFD and Extractions 


To enhance protection of extraction files, an implemented corruption check mechanism
prevents data loss in transit and manual tampering of extractions. In the extraction
Summary you can view one of the following corruption check statuses:


» Intact - in case the check succeeded.
» Corrupt - in case the check fails.


A status of “Not Available” will appear for extractions made with previous versions of Cellebrite Reader.
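An independent re-check of logged hash values, in the spirit of the Image Hash Information and corruption check statuses described above. This is an added example, not Cellebrite's code or its internal mechanism: the manifest layout (`file`, `algorithm`, `logged_hash`), the function names and the sample files are assumptions constructed for illustration, and only the three status names come from this manual.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024                  # stream in 1 MiB blocks; images can be many GB
ALLOWED = {"md5", "sha1", "sha256"}  # assumption: algorithms that may have been logged
HEX = set("0123456789abcdef")


def file_digest(path, algorithm):
    """Stream a file through the named hash and return its hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def check_entry(base_dir, entry):
    """Return 'Intact', 'Corrupt' or 'Not Available' for one manifest entry."""
    logged = (entry.get("logged_hash") or "").strip().lower()
    algorithm = (entry.get("algorithm") or "").strip().lower()
    if algorithm not in ALLOWED:
        return "Not Available"       # nothing usable was logged
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(logged) != expected_len or not set(logged) <= HEX:
        return "Not Available"       # logged value is missing or malformed
    # Resolve the path and refuse entries that point outside the case folder.
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, entry["file"]))
    if not path.startswith(root + os.sep) or not os.path.isfile(path):
        return "Corrupt"             # file missing or not where the log says
    actual = file_digest(path, algorithm)
    return "Intact" if hmac.compare_digest(actual, logged) else "Corrupt"


def verify_manifest(base_dir, manifest):
    """Map every file named in the manifest to its check status."""
    return {e["file"]: check_entry(base_dir, e) for e in manifest}


def demo():
    """Build a constructed case folder, alter one byte of one file, re-check."""
    with tempfile.TemporaryDirectory() as case:
        samples = {  # constructed stand-ins for extraction image files
            "userdata.bin": b"\x00" * 4096 + b"constructed image A",
            "system.bin": b"constructed image B" * 500,
            "legacy.bin": b"older extraction, no hash logged",
        }
        for name, data in samples.items():
            with open(os.path.join(case, name), "wb") as f:
                f.write(data)
        manifest = [
            {"file": "userdata.bin", "algorithm": "sha256",
             "logged_hash": hashlib.sha256(samples["userdata.bin"]).hexdigest()},
            {"file": "system.bin", "algorithm": "SHA256",
             "logged_hash": hashlib.sha256(samples["system.bin"]).hexdigest().upper()},
            {"file": "legacy.bin", "algorithm": "", "logged_hash": ""},
        ]
        before = verify_manifest(case, manifest)
        # Change a single byte, as damage in transit or a manual edit would.
        with open(os.path.join(case, "system.bin"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        after = verify_manifest(case, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in before:
        print(f"{name:14} before={before[name]:14} after={after[name]}")
```

Running the check from a second, independent tool before and after a transfer gives a record that does not depend on the viewer that opened the report.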
3.2.2.3. Investigation notes tab


If the UFDR file includes notes that were added when the file was created, they are displayed
in the Investigation notes tab under the Extraction Summary. For each UFDR report, the
report file path is also indicated. An example is displayed next.




Investigation notes 


Report file path: 
CATemp\2018-04-17.12-27-56\Person1\Person1_2018-04-17_Report.ufdr 


Investigation notes: 
Please note all the chats related to the selling and supply of drugs 


3.2.3. Data tabs 


Data tabs show files of a specific type (such as call log, contacts, SMS messages, and so on). 


Data tabs display the data in a variety of sub-tabs, depending on the type of data:


» Text view - view text files as text.

» Table view - a list of all the files of a specific type (images, videos, audio, text, and so on) that were found during the data analysis process.

» Thumbnail view - view images by thumbnail (for images only).

» Folder view - view the folder structure of the data files paths in the reconstructed file system (for data files only).

» Image view - view the image. See Viewing image files (on page 58).

» File Info - view information about the file.


3.2.3.1. Working in data tabs
Selecting items 


Select items in the data display area to include them in any report you generate. By default, 
all items are selected. 


» To select multiple items, hold the SHIFT or CTRL keys (consecutive and nonconsecutive selection).

» When an item is selected, press the space bar to select or clear the check box, which indicates if the item should be included or excluded from the report.

» To select all items at once, click the icon in the column header (table view, thumbnail view and timeline).


» To select items and optionally include a timeframe: 


1. Click E and select Select items for report. 




2. To select all click Yes. 

3. To set a timeframe for selection: 
a. Check Only events between these dates. 
b. Select the From and To dates. 
c. Click Yes. 


To include related events select Include all related events: locations, etc. This action overrides the current selection.


Unselecting items 


Unselect items in the data display area to exclude them from any report you generate. 
» To unselect all items at once, click the icon in the column header (table view, thumbnail view and timeline).


» To unselect items and optionally include a timeframe: 


1. Click E and select Unselect items for report. 
2. To unselect all click Yes. 
3. To set a timeframe to unselect items:

a. Check Only events between these dates. 

b. Select the From and To dates. 

c. Click Yes. 


Sorting columns 
Sort each column alphabetically or by time. 
» Click the column header to toggle the order. 


Re-ordering the columns 


For your convenience, you can change the order of the columns. Your preference is retained 
for the duration of the session. 


» Drag the desired column to the desired location. 


Hide or show columns 


» Right-click the column header and select the column name in the list. 


Viewing more information 


For data tabs containing textual information, by default the right pane is open, displaying the 
selected item's information. 


» To close or open the right pane, click c 
Exporting data


1. To export the data in a particular tab, click the desired output in the toolbar: Excel, HTML, PDF, XML, KML (location data only), or EML (email data only).


The Export Dialog Window appears. 




2. Do one of the following: 


» Enter the path where you want to save the report. 


» Click | and browse to and select the desired location. 
3. Select the Include translations check box to include translated data. 
4. Click OK. 


The report is generated, and a message appears asking if you would like to open it in 
third party software. 


5. Click Yes or No. 


The file is opened in the default third party software. 


When exporting to EML, a file is created for each email. 


3.2.3.2. Table view for data files 
For data files, the table shows the following information: 


Check box | Indicates whether to include (checked) or exclude (unchecked) the item in the report generated.

Del? | An icon indicating if the data file was deleted or has an unknown status (gray dot).

Image | A thumbnail of the image or an icon of the file type.

Name | The file name.

Path | The root path of the data file.

Size | The size of file.

Metadata | Additional metadata of the data file.

Created | The creation time stamp of the data file.

Modified | The modification time stamp of the data file.

Accessed | The last access time stamp of the data file.


In addition, indicators are displayed to show attachments, indicate video calls, and to show
event direction.


3.2.3.3. Table view for analyzed data 


For analyzed data, table view tabs display a list of all the events of a specific type (Call Log, 
Contacts, Instant messages, and so on) that were found during the data analysis process. 


3.2.4. Notifications center


The Notification center provides improved messaging to enable you to work seamlessly
with notifications that keep you up to date with new features and capabilities of Cellebrite
Reader so you will never miss a thing. In the Notification Center, you can view the latest
alerts, news, warnings, and completed actions.


To see your notifications:


1. Click Notifications on the top right. The following window appears.




The notification counter resets to zero after the messages have been reviewed.


2. To open the Notifications center, click View all notifications. The following window 
appears. 


From this window, you can select the message category type to display, that is: Error, 
Information, Success, or Warning. You can also clear all the existing messages, search for 
a particular message, view details about the message, and hide messages. 
4. Locating and analyzing information


This section describes how to browse, search, filter, bookmark, and manage the information in your project.


4.1. Searching for information in all open projects


Use the all project search box in the toolbar to search for information in all open projects.


1. Type any string in the search box.


A list of matching results appears under the search box. The results are sorted by open project. Within each open project, the results are sorted by categories according to type (messages, contacts, files, and so on). The number of matching results found in each type category is also displayed.


2. Click to collapse or expand the projects.


3. Do one of the following:


» Click the icon next to the project name to view the results of the search in that extraction in a tab in the data display area.

» Select Show All from the top of the quick results list to display a Search results tab in the data display area listing all the matching search results. The matching string in each item is indicated. As in the quick results list, the Search results tab lists the results by type. An example is displayed next.


You can create tags for the global search results items by selecting the Tag All or Tag options; however, Device Info and folder files cannot be tagged.


Your recent search activity (up to 20 searches), including All projects search and table search, is saved until you close the application.


4.2. Searching for information in a data tab 


In Table View tabs, search for a particular item within the data table. The search is 
performed on all the data entries within the table. 


» In the Table Search box, enter any string.


The table updates to display only items containing the string you entered. 


4.3. Using the quick filter 


To improve accessibility the filters are now grouped under simple menus. An example is 
displayed next. 
[Screenshot: the Filters menu, listing Known images, Deleted, Size, Format, Metadata, Capture time, Related items, Direction, Attachments, and Tags.]


Only non-system | Display native or non-system images. Filter images that come with the device or as part of an app installation. By default, all system images are filtered. You can change this setting under Settings > Data Files.

Display all items. This filter overrides the filters applied with the following three filters: Only selected, Only unselected, and Deleted.

Only selected | Display only items that are selected.

Only unselected | Display only items that are not selected.

Deleted | Display only deleted items.

Show all image sizes | Display all images. This filter overrides the filters applied with the following three filters: Display images above 30 KB, above 100 KB, and above 500 KB.

Display images above 30 KB | Display only small images above 30 KB.

Display images above 100 KB | Display only medium-sized images above 100 KB.

Display images above 500 KB | Display only large images above 500 KB.

Filter images (by signature) | Click to enable file type filtering: JPEG, GIF, BMP, or PNG (Show JPEG, Show GIF, Show BMP, Show PNG).

Metadata | Filter image and video files by Metadata (All, Without metadata or Has metadata) and Location (All, Has location or Without location).

Capture time | Filter image and video files by capture time. The maximum range is displayed by default, and you can select a specific date and time range.

Translation filter | Filter translated text to display all text, translated text or text that has not been translated.

Related items | Filter related items for extractions, which is very useful when working with the Multiple Extractions feature. All displays all items, Only deduplications displays only items that include deduplications (duplicate or redundant data), Only non-deduplications displays only items that do not include deduplications, and Only items with additional data displays only items that include additional information.

Translation commands | Translate all or selected texts, or delete translations.

Open a conversation tab that displays the item and related messages.

Open all messages within a conversation in a table view.

Attachment | Filter data files with attachments. All is for all data files, Attachments is for data files with attachments, and Not attachments is for data files that are not attachments.

Attachment filter | Filter attachments that were sent or received. All is for all attachments, Sent is for attachments that were sent, Received is for attachments that were received, and Unknown is for unknown attachments.

Attachment source app | Filter by the attachment’s source app. All apps in the extraction are listed. Select the apps to display and then click Finish.

Tag | Tag selected items.

Remove a tag from the selected items.

Manage tags | Open the Manage tags window.

Open SQLite wizard | Open the SQLite wizard to build SQL queries and map database fields to Cellebrite Reader models.

Hide/view lower pane | Hide the lower pane with map item details. Click again to open the pane.

Hide/view right pane | Hide the right pane with item details. Click again to open the pane.

Export | Export the current view to an Excel (only hash values), Excel, HTML, PDF, XML, Word file, Project VIC (JSON), or GriffEye format (* C4P Index.xml). You can import the exported image or video files into Griffeye using a C4All XML data source.

Location filter | Filter the locations displayed on the map.

Retrieve address | Retrieve a physical address for the selected location.

Group by | Group selected images or videos by time captured/recorded, created, modified, accessed, or deleted, or by camera make or model.

Remove all filters | Remove all applied filters.


The toolbar items are context-sensitive, and only appear when relevant 
data is displayed. 


4.4. Using the advanced filters 


In any Analyzed data or Data file window, the listed results are filtered by column. Click on 
the relevant column heading to view filter and sort options. An example is displayed next. 




When a filter is selected, only relevant results will be displayed. 
4.5. Using advanced search

Using the new Advanced Search capability, narrow the scope of queries by applying filters
and specifying additional requirements for a search. This functionality enables:


» Multiple keywords search

» And, or and exclude

» Searching in files content

To start using the Advanced Search: 


1. Click Advanced at the top right of the screen. 


The following window appears.


[Screenshot: the Advanced search dialog, with the fields Any of these terms, All of these terms, None of these terms and Search in, and the Search file contents option with the note "This process may take several minutes."]


2. Enter any, all or none of these terms.

3. Use a comma to separate terms.

4. Select the project (or search all projects).

5. Optionally select Search file contents to search in the contents of files within the extracted device (including file formats such as XML, plist, txt, DB, PDF, xlsx, DOCX, etc.).

6. Click Search.


Search results are presented in a separate Advanced search results tab, where you can 
view results, tag and mark items to include in your report. 


4.6. Accessing conversation view 


Communication-based data, such as call logs, email, instant messages, and so on, can be
displayed in a conversation view layout for easier and better tracking of the
communication between two or more parties. You can search for messages within a chat,
select the messages to include within a report (by default all chat messages are included), or
export the conversation.


Messages in the conversation have an indication of how they were sent -
PC, mobile, or Siri (for native iMessages).


In some cases, mainly when messages have been deleted, they cannot be 
forensically placed in a Chat. To maintain forensic accuracy of the 
messages, they will be placed in Instant messages and available for 
review under Analyzed data > Instant messages. 


To access and use conversation view: 
1. In a communication-based data table, select one of the records. 
2. Click 2. 


A conversation tab opens, displaying related items as a conversation between the sending 
and receiving parties of the selected item. 


3. To translate or delete translated text, click Actions and then select Translate all, 
Translate selected or Delete all translations. 




4. To export the conversation, click Export.

5. Select the desired output: Excel, HTML, PDF, XML or Word.

6. To change the order of the conversation, click Actions > Sort by and then select Oldest message first, or Newest message first.

7. To filter messages, enter text in the search box or click Filter.

8. To add or edit tags, click the tags icon.

9. Select a check box to include specific messages in the report (or select all messages or no messages).


4.7. Viewing image files 


1. In the Analyzed data tab, go to Media > Images. 


2. Double click on Images to open the Images tab. 


If media classification was run on the extraction, you can double click 
the relevant category to open its tab. 




In the Images tab, you can select the view in which to see the images. Available views
include:


» Table view

View a list of all images in table format. Double click on an image to open in a separate tab.

» Thumbnail view

View images by thumbnail. Double click the image to open in Gallery view.

» Folder view

View the folder structure of the data files paths in the reconstructed file system. Double click an item to open in Gallery view.

» Gallery view

View images in gallery format, easily scrolling through images.


Viewing single images 


1. In Gallery view, click Open in a new tab to view the image in a separate tab.


The sub tabs for each image include: 


» File info - view the file information. For example, the File metadata section includes 
information such as the Capture Time, which is the date and time a photo was taken. 
» Image view - Use the image controls as needed. 
The image controls are:

When the image is enlarged, click to navigate the image.
Rotate image clockwise and anti-clockwise.
Zoom in and out. You can also adjust the zoom using the slider.
Zoom to fit the tab.
Reset the zoom to 100%.
Hide image controls.
4.8. Viewing video files


1. In the Analyzed data tab, go to Media > Videos.
2. Double click on Videos to open the Videos tab.


If media classification was run on the extraction, you can double click the relevant category to open its tab.


In the Videos tab, you can select the view in which to see the videos. Available views include:


» Table view

View a list of all videos in table format. Double click on a video to open in a separate tab.

» Thumbnail view

View videos by thumbnail. Double click the video to open in Gallery view.

» Folder view

View the folder structure of the data files paths in the reconstructed file system. Double click an item to open in Gallery view.

» Gallery view

View videos in gallery format, easily scrolling through videos. If media classification was run on the extraction, view additional category details.


Viewing single videos

1. In Gallery view, click Open in a new tab to view the video in a separate tab.


The sub tabs for each video include:

» File info - view the file information. For example, the File metadata section includes information such as the Capture Time, which is the date and time the video was taken.

» Video view - Play the video, view frames according to media categories.
4.9. Enrichment of BSSID and cell IDs


Cellebrite Reader enables you to enrich the location data recovered from mobile devices by
converting BSSID (wireless network) and cell IDs (cell tower) to physical locations. When
viewing location data, BSSID values are displayed. An example is displayed next.




If all BSSIDs/cell IDs have already been enriched, then the Enrichment feature is not available.


4.9.1. Online enrichment


To enrich BSSID and cell tower IDs (online):


1. If you have an Internet connection and you open an extraction with BSSID or cell IDs, the
following window appears (the first time only).


New: Data Enrichment Services Platform 


Cellebrite is pleased to announce the launch of our new 
complimentary, online platform that provides a growing number 
of services such as location and attribution enhancements. The 
first available service is location enrichment from wireless 
networks (BSSIDs) and cell towers (Cell IDs) enabling you to: 


+ Collect more data to make informed decisions 


+ Save time by collecting data from multiple sources 


2. Click Got it. The following window appears. 


Enrich your location data 


This extraction includes wireless networks (BSSIDs) or cell towers 
(Cell IDs), which you can enrich by converting to physical locations. 


Clicking Enrich will send the location data to the Cellebrite Data 
Enrichment Services Platform for conversion. Once this process 
completes, you will be notified and the coordinates will be added 
under Device Locations. 


Disable this service under General Settings > Data enrichment.


3. Click Enrich to convert to the physical locations via the Enrichment service. 


You will receive a notification when the process completes and the new
locations will be added under Device Locations. 


You can also access Online enrichment from Tools > Enrichment of 
BSSIDs and Cell IDs. 
To disable the automatic conversion of BSSID and cell tower IDs to physical locations:


1. From the Tools menu, click Settings. 
2. Under General settings, scroll down to Data enrichment. 
3. Clear the Convert BSSID values (wireless network) to physical locations check box. 


4.10. Generating dictionary files 


Create dictionary files based on all the numeric and alphanumeric strings found in the
project. Three types of files are created: 4-digit (numeric), 6-digit (numeric) and a full list of
all strings (alphanumeric of length 1 and above). These files can be useful for brute force
methods to access other devices, accounts, files, or even computers that belong to the same
person.


To generate the word lists:


1. Select Tools > Generate dictionary files. The following window appears. 




2. Select the required project.
3. Click Change to change the default location where the text files will be saved.
4. Select the Use as default location for all dictionary files check box to change the default
location. The default location is specified under Settings > General Settings. See General
settings (on page 91).
5. Click Generate. The dictionaries are created and the following notification is displayed.


[Notification: Three dictionary files were created. All files were saved to the specified location. Show in folder]
6. Click Show in folder in the notification to access the word lists. An example is displayed
next.

Name          Date modified       Type            Size
4digits.txt   7/1/2019 2:22 PM    Text Document   1 KB
6digits.txt   7/1/2019 2:22 PM    Text Document   1 KB
all.txt       7/1/2019 2:22 PM    Text Document   166 KB


4.11. Tags 


While reviewing events, contacts, etc., the investigator can tag items for future reference. 
Each item can have multiple tags. A tag is essentially a quick reference you can create on 
individual items: 

» An Analyzed Data item such as a call from the call log, a contact record, an email
message, etc. See Analyzed data (on page 26).
» A Data Files item such as applications, archives, configurations, databases, and so on. See
Data files (on page 28).
To tag an item:


1. Click [icon]. The following window appears.


[Screenshot: tag selection window with Search tags, Clear All and Manage tags controls; Case tags listed as UnknownTag (No hot key), Evidence (F6), Important (F7), Pending (F8), Completed (F9); Project VIC categories; Description (optional)]


The window also includes Project VIC or CAID categories. 


To display other Project VIC/CAID categories, go to General settings > 
Hash sets. 


2. Choose the relevant tag and click OK. An example is shown next. 


[Screenshot: Call Log table with tagged items; columns Parties, Timestamp, Duration, Type; example row: 7/6/2015 12:52:15 PM(UTC+3), 00:00:17, Incoming]
To remove a tag, click [icon].


The tags you create can be viewed via the Tags tree item. The number of tags in the project 
is shown in brackets next to the section name. You can create or remove multiple tags. 


Double-click the Tags tree item to list the tags in a tab in the data display area. Selected 
tags are included in reports that you generate. 


To manage tags: 


1. Click [icon]. The following window appears.


[Screenshot: Manage tags window, "Define your tags names, colors and hotkeys", with Search tags, Global tags, Import, Export and New tag controls, the tags Pending, Important and Complete, and Project VIC categories]


The window also includes Project VIC or CAID categories. 


Define each tag's name, color, and HotKey, as desired.
To delete a tag, click [icon] next to the tag name.
To create a new tag, click New tag. A new line appears.


To export a list of tag labels, click Export.


To import a list of tag labels, click Import.
4.12. Viewing online maps


The maps function is available to Cellebrite Reader users with a valid license. The locations 
are presented with an icon displaying the location type. Filter the locations based on multiple 
attributes including date, time and location type. 


[Screenshot: Device Locations (49396) map view with Export, Filters and Actions controls, a "Search for address or location" box, and a table with columns Origin, Timestamp, End time, Position, Aggregated locations, Map Address; example row: 1/13/2011 8:37:55 AM(UTC+0), (32.041300, 34.887617)]


4.12.1. Search and jump to a location on the map 


You can use this capability to view all location related events for a specified address.
Search for the specific location or zoom in to the desired location on the map, and all other
location related events that occurred in the vicinity will appear on the map. You can search
for a location while working in online mode, by typing an address, position (coordinates) or
the name of a place.


4.12.2. Device origin 


The Origin column classifies each recovered location record by its origin: Device or External.
You can view and filter for locations that are related and unrelated to the device user's
activities. (This does not mean the device has physically been in this location.) For example,
a picture taken by the camera on a digital device is classified as a Device location, while a
picture received on the device is marked as an External location, because the location is
related to the image sender. Classified locations are highlighted with a different color on the
map.


Locations that cannot be classified are shown as Blanks, i.e., unknown.


4.12.3. Using the map 


Users can browse and search topographically-shaded street maps for many cities worldwide. 
Two types of map views are available to users: Road View and Aerial View. 


» Road View: Road view is the default map view and displays vector imagery of roads, 
buildings, and geography. 

» Aerial View: Aerial view overlays satellite imagery onto the map and highlights roads and 
major landmarks for easy identification amongst the satellite images. 


To highlight locations in the table: 
» Click or zoom in to a location on the map. 


Related events are displayed on the right pane under Locations. 
[Screenshot: Locations (11) pane listing records by timestamp and position, e.g. 1/13/2011 10:37:55 AM(UTC+2), (32.102162, 34.851047), with a details panel showing the fields Name, Description (MCC=425 MNC=1 LAC=5700), Type, Timestamp, End Time, Precision (17900), Confidence (70), Map, Category, Address, Extraction and Source file]


To jump or link to the timeline: 
» Click Go to on the right pane and select Timeline. 


A new Timeline tab appears and the selected location is highlighted in the Table view. 




4.13. Recording screen captures and video 


Use the Capture tool to record screen captures and videos. This enables you to quickly and 
clearly document and explain your digital investigative processes, build visual reports that 
are easy to present and share, and communicate with other personnel more effectively. 


For each screen capture or video recording, you can select an area, enter a label, add notes, 
save to a project or location on your computer, and include it in a report. The screen 
captures and videos can be included in all report formats including UFDR files, which can 
then be presented in Cellebrite Reader. 


To use this tool, you need to have an activated version of Cellebrite 
Reader. For information on how to activate, see Activating Cellebrite 
Reader (on page 11). 


This tool requires a one-time installation (with the proper admin
permission).


To use the Capture tool and play video playback, you need Windows
Media Player (default version for installed OS or higher).
To perform a screen capture or video recording:


1. Click Screen capture. The screen capture window appears.


2. Select Screenshot or Video. 


4.13.1. Screenshot 


1. Click Capture.


2. Select the capture area. The screenshot is taken and the following window appears. 


[Screenshot: Screen capture window with File name and Category fields (example file name: ScreenShot_20200531-120646), drawing tools, and the buttons Cancel, Copy to Clipboard, Save as a file, Add to project]


3. Use the default file name or enter a new name.


You cannot use the same file name that exists in another open project.


4. Select a category or enter a new category. The system remembers a maximum of 10
categories. The default category is "No category". The screen capture is displayed under
the selected category in the project tree.

5. Enter any notes to describe the screen capture.

6. If required, you can use the Tools on the left to add text, draw shapes, crop, resize, rotate,
or flip the screen capture.

7. Click Copy to Clipboard to copy the screenshot, click Save as a file to save the screenshot
to your computer (or network location), or Add to project to add the screenshot to a
specific Cellebrite Reader project.


Screenshots and videos are added to the Reports view project tree under Additional files.


4.13.2. Video 


1. Enable or disable the microphone.


2. Click Capture.


3. Select the capture area. The video recording begins.


4. Perform the relevant actions that you want to record.


5. When you've finished, click Stop or Pause. The following window appears.
[Screenshot: Screen capture window with File name, Category and Note fields (example file name: ScreenRecording_20185923-115916), and the buttons Cancel, Save to disk, Add to project]


6. Use the default file name or enter a new name.


You cannot use the same file name that exists in another open project.


7. Select a category or enter a new category. The system remembers a maximum of 10
categories. The default category is "No category". The video is displayed under the
selected category in the project tree.


8. Enter any notes to describe the video.


9. Click Save as a file to save the video to your computer (or network location) or Add to
project to add the video to a specific Cellebrite Reader project.


Videos can be a maximum of two hours long.
4.14. Media classification


The media classification feature classifies images and videos based on categories that are 
relevant to a case. 


When an extraction is decoded in Physical Analyzer with this feature enabled, machine 
learning algorithms automatically scan and classify all media items in the case to the 
following categories: 


» Camera
» Cars
» Credit cards
» Documents
» Drugs
» Faces
» Flags
» Food
» Gatherings
» Hand hold object
» Handwriting
» Hotel rooms
» Invoices
» Jewelry
» Maps
» Money (cash)
» Motorcycles
» Nudity
» Photo IDs
» Screenshots
» Smartphones
» Suspected CSA (Child Sexual Abuse)
» Tattoos
» Vehicle dashboards
» Weapons


Viewing and analyzing classified media 


Once the report is loaded into Cellebrite Reader, there are three ways to view media items 
according to their classification. 
1. Analyzed data tree
a. Click on the Analyzed data menu item.
b. Go to Media > Images or Media > Videos.
c. Double click a category to view the items.


2. Filtering the media by classification type
a. Click on the Analyzed data menu item.
b. Under Media tree item, double click Images or Videos.
c. Click Filters > Classification type.
d. Select or unselect the categories to display.
3. Insights
a. Go to the Insights menu item.
b. Double click Media classifications.
c. Double click on a category to view the items.


Media classification score control 


Each classified media item is given a score (0-100%) based on classification accuracy. When
viewing specific categories, the media items are sorted by score from highest to lowest
score.


You can use the classification score filter to display results within a certain range.


In the example below, the classification score filter is set to display only those results with a 
score of 80% or higher. This filters out less accurate results. 


5. Generating a report


You can generate a report of the information in the project. Cellebrite Reader provides a 
report wizard to help you through the steps of creating a report. 


To generate a Preliminary device report, see Generating a Preliminary device report (on
page 89).


To generate a report, perform the following steps: 


1. Select Report > Generate Report from the application menu. The Generate Report
window appears.


[Screenshot: Generate Report window, General page, with the fields File name, Save to, Report sub directory, Project and Format, and the Case Information fields Examiner name, Location, Case number, Case name, Evidence number, Department, Organization, Investigator, Crime type and Notes. Formats listed: UFDR (For Cellebrite Reader or Analytics), PDF Report, HTML Report, Excel Workbook (xlsx), Excel 97-2003 (xls), Word report, XML Report]


2. Enter the relevant information in the General fields. 


File name: Enter or edit the name for the new report.
The default report name is: project name date Report
e.g., Drone DJI-Inspire 2 2017-12-25_Report
When more than one project is selected, the default name is:
[Project_name] date Report
e.g., [Project_name] 2017-12-25 Report

Save to: Enter a location where the new report folder will be created.

Report sub directory: Enter a name for the new sub-folder containing the report(s). The
default sub directory name is the current date and time.

Project: Choose the project(s) to include in this report. Only projects that are already
opened in Cellebrite Reader are available for reporting.

Format: Choose report format(s). If multiple formats are chosen, a report will be generated
for each format.


Microsoft Excel 2003 reports that contain more than 65,536 rows cannot
be opened in their entirety.


Fields in red are mandatory. 


3. Enter the relevant information in the Case information fields. 


Listed are the default settings for these fields. See Setting the case
information (on page 106). See Additional report fields (on page 98) and
Report defaults (on page 99) for other defaults. Additionally, the last 10
values entered in these fields are also available in the drop down.


4. Click Next. The Report dataset window appears. 
5.1. Report dataset settings


The dataset settings enable you to choose events between specific dates and what data to 
include in the report. 


[Screenshot: Generate Report window, Report Dataset page, with three sections: Time range filter (Only events between these dates, From/To, Include items without a timestamp); Data types, each shown with selected/total counts, e.g. Call Log (30/30), Locations (9258/9259), Passwords (355/355); and Preferences]


To complete the Report dataset settings, perform the following steps: 


1. To use the optional time range filter, in the Report range filter area select the Include 
only events between these dates check box, enter the date range and click Apply to 
update the data in the Extraction area. 


Select the Include items without a timestamp check box to include
events that do not have a timestamp.


2. Under the Data types heading, select the analyzed data and the data files to be included in
the report.


The data types listed will vary based on the data available in the
selected projects, and include all the data sets listed under Analyzed
data and Data types in the project tree.


Next to each data type, the number of items to be included in the report is displayed, 
alongside the total number of items of this type. The number of items included in the 
report may change based on your choices in the following sections. 


3. Under the Preferences heading, select the data to be included in the report. 
Tags table: Select to include tag table in the generated report. To specify which tag labels to
include/exclude, click Select tags.

Tags only: Select to include tags only (disables all Data types except for Device info) in the
generated report. To specify which tag labels to include/exclude, click Select tags.

Select tags: Click to select which specific tag labels you want to include/exclude in your
report. This is useful in cases where not all examiners should be exposed to all the tagged
items in an extraction.

Calculate SHA-2 (256 bit) hash / Calculate MD5 (128 bit) hash: Select which calculated MD5
and SHA256 hash keys to add to each Data Files item in the generated report. This selection
is for the whole report and applies to all projects within the report. To shorten the report
generation process of large projects, do not select the Hash options.

Include translations: Select to include translated text.

Include known files: This option enables you to include system images or files in your
report. Clear this option to automatically filter out common/known/system images and save
critical investigation time that would otherwise be spent reviewing media images such as
device icons, or images that are included by default when installing apps.

Include Malware scanner results: Include results from Malware scanner.

Include Hash set results: Include results from hash databases run on the extraction.

Redact image thumbnails: Select to redact image thumbnails from PDF, Word and HTML
reports.

Include merged items - analyzed data and data files: Select to include merged data from the
Analyzed data section and/or the Data files section of the project tree. The Include merged
items options are unselected by default. When these settings are selected, your report will
include all items including duplicate items. The total numbers of items selected for the
report may change based on these settings.

Include Reader: Select to share UFDR reports with authorized persons using the Reader. The
Reader executable will then be included within the report output folder. This option is for
the UFDR format only.

Include conversation bubbles: Select to include the chat bubbles of the conversation in the
report. To include the metadata of the chat bubbles make sure that the Include metadata in
chat bubbles check box under Settings > Report Defaults is selected.

Include source info indication: Select to include the source file information (as displayed in
the Source file information column).

Include enrichments/Review: Select to include BSSID enrichments and Image classification.

Hide extraction source indication: Select to hide extraction source types. If the check box is
cleared, the report will indicate the type of extraction from which the field was obtained
e.g., physical, logical, file system. If the check box is selected, the type of extraction will not
be displayed. The check box is only relevant with the Multiple extraction feature. For single
extractions, the extraction source type will not be displayed.

Include account package: Select to include an account package, which is an export file that
contains user credentials.

Include Activity sensor data samples: Select to include the sample data of all detailed
measurements of the activity data.


4. Click Next. The security screen appears. 
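

The time range filter in step 1 works on timestamps that the Reader displays with a per-record UTC offset, for example 7/6/2015 12:52:15 PM(UTC+3). The Python below is an added example, not Cellebrite code: it parses that display format from exported rows, normalises it to UTC, and applies a date range with the same "include items without a timestamp" choice. The function names, the dict row layout, the month/day/year order and the inclusive range bounds are assumptions, the sample rows are constructed, and how the Reader itself evaluates the range is not stated here.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp text in the form the Reader's tables display, e.g.
# "7/6/2015 12:52:15 PM(UTC+3)". Month/day/year order is an assumption
# based on the sample values; check it against your own export.
_TS = re.compile(
    r"^\s*(?P<mo>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4})\s+"
    r"(?P<h>\d{1,2}):(?P<mi>\d{2}):(?P<s>\d{2})\s*(?P<ampm>[AP]M)\s*"
    r"\(UTC\s*(?P<sign>[+-])\s*(?P<oh>\d{1,2})(?::(?P<om>\d{2}))?\)\s*$"
)


def parse_timestamp(text):
    """Return a timezone-aware datetime, or None for an empty timestamp cell."""
    if text is None or not text.strip():
        return None
    m = _TS.match(text)
    if m is None:
        # Fail loudly: silently skipping an unparsable row would drop an item.
        raise ValueError(f"unrecognised timestamp: {text!r}")
    hour = int(m["h"])
    if not 1 <= hour <= 12:
        raise ValueError(f"hour out of range for a 12-hour clock: {text!r}")
    hour = hour % 12 + (12 if m["ampm"] == "PM" else 0)  # 12 AM -> 0, 12 PM -> 12
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"] or 0))
    if m["sign"] == "-":
        offset = -offset
    return datetime(int(m["y"]), int(m["mo"]), int(m["d"]), hour,
                    int(m["mi"]), int(m["s"]), tzinfo=timezone(offset))


def to_utc_iso(text):
    """Normalise a displayed timestamp to an ISO 8601 string in UTC."""
    ts = parse_timestamp(text)
    return None if ts is None else ts.astimezone(timezone.utc).isoformat()


def select_for_report(items, start=None, end=None, include_untimed=False):
    """Keep items whose instant lies in [start, end] (assumed inclusive).

    start and end must be timezone-aware datetimes. Items with no timestamp
    are kept only when include_untimed is True, mirroring the
    "Include items without a timestamp" check box.
    """
    kept = []
    for item in items:
        ts = parse_timestamp(item.get("timestamp"))
        if ts is None:
            if include_untimed:
                kept.append(item)
        elif (start is None or ts >= start) and (end is None or ts <= end):
            kept.append(item)
    return kept


# Constructed sample rows (hypothetical ids; timestamps in the displayed format).
SAMPLE_ITEMS = [
    {"id": "call-1", "timestamp": "7/6/2015 12:52:15 PM(UTC+3)"},
    {"id": "call-2", "timestamp": "7/6/2015 12:30:00 AM(UTC+3)"},   # 5 July, 21:30 UTC
    {"id": "loc-1", "timestamp": "1/13/2011 8:37:55 AM(UTC +0)"},
    {"id": "loc-2", "timestamp": "1/13/2011 10:37:55 AM(UTC+2)"},  # same instant as loc-1
    {"id": "contact-1", "timestamp": ""},                           # no timestamp
]

if __name__ == "__main__":
    utc = timezone.utc
    day_start = datetime(2015, 7, 6, tzinfo=utc)
    day_end = datetime(2015, 7, 6, 23, 59, 59, tzinfo=utc)
    for row in select_for_report(SAMPLE_ITEMS, day_start, day_end, include_untimed=True):
        print(row["id"], to_utc_iso(row["timestamp"]))
```

A row dated 7/6/2015 in local time can fall on 5 July in UTC, so state the time zone of a date range whenever a filtered report is handed over.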
5.2. Report security settings


The report security settings include two levels of protection:


» UFDR protection: UFDR files hold sensitive, confidential and personal data. Adding this
optional security layer enables you to better protect data contained in UFDR files. The
Reader and Cellebrite Pathfinder solutions can automatically read UFDR files, even if the
security layer is selected. If you are importing UFDR files into third-party tools, you should
not select this option.

» Password protection: Apply password protection to Excel, PDF, UFDR, and Word reports.


[Screenshot: Generate Report window, Security page, with a UFDR protection section ("Protect UFDR files to increase the security of the data", Apply to: UFDR) and a Password protection section ("Note: Add a password to further enhance report security", Apply to, Password, Confirm password)]


To complete the security settings, perform the following steps: 

1. Select the UFDR check box if you would like to protect the UFDR file. 
2. Choose the report formats to protect with a password (optional).

3. Enter and confirm the password. 

4. Click Next. The Layout screen appears. 
5.3. Report layout settings


You can set the report layout to meet your agency's requirements. 


[Screenshot: Generate Report window, Formatting - Table Sorting page, with the View sorting and Default sorting options]


To complete the layout settings, perform the following steps: 


1. Select Default sorting to sort the items included in the generated report according to the
default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear
Default sorting to sort the items according to the selected sorting field and the sorting
order (ascending or descending) that was set by the user in each of the data display
tables.


2. For each format chosen for this report, you can specify report parameters as follows: 


Disable models categorization: Select to disable the separation and generate a report in
which every data item is generated as a single section without subcategories separation. By
default, a categorized report is generated, in which each category in the data items group is
generated as a separate section in the report. For example, when generating a report with
Call logs, select the check box to generate the Call logs as a single list, or clear the check box
to break it into a separate list for each category of Call logs.

Report header: Text area where you can enter and format custom text to appear in the
report header before the logo image.

Logo: Click Select Image File to add the logo image to appear in the report header.
Supported file formats are: BMP, JPG, GIF, and PNG.

Logo Footer: Enter and format custom text to appear in the report footer after the logo
image.

Show totals for items not in the report: Add a Total column to the report that displays the
total number of items that were excluded from the report.

Show extended deleted state: Include the state (Intact, Deleted, or Unknown) of deleted
items in the generated report. When not selected, logs only the state of deleted items as Yes,
and is left empty for other states.

Number of lines for email preview: Set the maximum number of lines from each email
message to appear in the report.

Display full email body: Display the entire message body.

Number of messages per chat: Set the maximum number of messages per chat message to
appear in the report.

Display all chat messages: Display all chat messages in the report.

Font Family: For PDF reports only.

Split HTML report: Ensure that each section of the report starts on a new page. For HTML
reports only.

Unprintable characters placeholder: Set the placeholder character to replace the unprintable
characters. For Excel and ODS reports only.

The Excel report is compatible with OpenOffice: Select to ensure the Excel report can be
opened in OpenOffice. For Excel and ODS reports only.

Generate Contact Identification Data: Select to add a sheet to the Excel report that provides
a list of unique contacts based on type. For Excel and ODS reports only.


The parameters displayed will vary based on the report types you have
chosen.


3. Click Finish.


Finish is unavailable until all the required fields are filled. A yellow
warning icon is displayed next to all required fields that are not yet
complete.


4. When the report is successfully generated, you are prompted to open the generated
report file. The file opens using the application associated with the file format on
the workstation.


Once a report has been generated for the project, it can be accessed
from the Reports section in the project tree. Double click on any of the
generated reports to open it in the associated application installed in
the workstation. Right click any of the generated reports to open the
report file, or select Open containing folder to browse the files and
folders of the report.


5.3.1. Formatting the UFDR file 


This window enables you to split the UFDR file and add Investigation notes. 


[Screenshot: Generate Report window, Formatting - UFDR (For Cellebrite Reader or Analytics) page, with the Split UFDR file check box, the Investigation notes area, and the Cellebrite Reader report language selector]


5.3.1.1. Splitting the UFDR file 


Splitting a UFDR file enables you to divide a file (too large to fit onto storage media) into
multiple smaller files, for easy transfer. Select 700 MB for CDs, 4.7 GB for DVD, or a custom
file size between 100 MB to 10 GB. When you open the UFDR that has been split into
separate files, Physical Analyzer will automatically merge all the files into a single report.


To split the UFDR file: 

1. Select the Split UFDR file check box. 
2. Select the required file size. 

3. Click Next. 


To open the split UFDR in Cellebrite Reader select the main UFDR file
(*.ufdr).


5.3.1.2. Adding investigation notes 


If required, enter notes in the area provided. These notes will be displayed as a separate tab
in the Cellebrite Reader, under the Extraction Summary.


5.3.1.3. Cellebrite Reader report language 


In some cases, UFDR reports are shared with colleagues who need to review them in a different
language. You can set the default interface language when opening a UFDR report. This
allows the Cellebrite Reader to load in the predetermined language without the need to
configure this in the Settings screen. The setting is stored for any UFDR that is created. In
Cellebrite Reader a message will be displayed if the report language is different from the
application.




5.4. Generating a Preliminary device report 


Generate an ‘at a glance’ intelligence report that includes parsed device information and
user account information. Such reports can be used as a quick reference for the lab,
prosecutors, and investigators.


This report includes the device info and a hybrid of the data in the User accounts. This useful 
‘at a glance’ data can inform the investigation units about where other 3rd party evidence 
may reside and identify if accounts known to the investigation are still on the device. 


This PDF report can be emailed to the investigation unit as soon as Cellebrite Reader has
finished loading the extraction.

To generate a Preliminary device report:


There are two ways to generate this report: 


» From the main menu, select Reports > Generate preliminary device report.




» In the Extraction Summary, click Generate preliminary device report.


The PDF report will be generated and stored to the default reporting path location. 
6. Settings


The Settings window provides a set of functional and behavioral setup options used to fine-tune
and control the functionality and usability of the application. The settings in the Settings
window apply to all the projects open in Cellebrite Reader.

Changes to settings are lost when you close Cellebrite Reader. To save the settings
configuration, see Saving settings (on page 104).


To access the Settings window: 


» Select Tools > Settings. 


6.1. General settings 


Set general application settings in the General Settings tab. 


Localization

To set the interface language of Cellebrite Reader:


» In the Localization area, in the Language list, select the desired interface language. 


The Smart Translator automatic language detection check box is selected by default and
automatically identifies the Smart Translator language to which you want to translate. To
manually select the Smart Translator language, clear the check box.


Time zone 


To shift timestamps and enable daylight saving time: 


1. In the Time zone area, from the Time zone settings (UTC) list, select one of the time 
zones (UTC -11:00 to UTC +14:00) to recalculate network-defined timestamps according 
to the time zone offset. 


2. Select the Automatically adjust timestamps to UTC+0 check box, to automatically adjust 
timestamps to UTC+0. This setting is recommended when working on multiple extractions 
so that all records will be presented according to the same adjusted time zone offset. 


This check box is selected by default, but is disabled if the Always adjust timestamps to
this time zone check box is selected.


3. To enable the daylight saving time, select the Use daylight savings check box. 


4. To change the start and end dates for daylight saving time, click Daylight Saving Time. For
more information on how to change the time zone settings, see Setting a unified time
zone for the project (on page 104).


To use the device's time zone if detected: 


» In the Time zone area, make sure that the Prompt when device time zone detected check
box is selected.


Export 


To set the encoding and separator of exported CSV files: 


1. In the Export area, select the desired encoding option from the Encoding list. 


2. Select the desired separator in the Separator list.


Dictionary files


To change the default location of the dictionary files: 


» In the Dictionary files area, click Change and select a new location to be used when 
creating dictionaries. 


Image hash verification 


To automatically verify images on project load: 


» In the Image hash verification area, select the Automatically verify images on project load
check box.


Extractions 


To offer to load a session file (that was saved in the folder where the extraction is 
located) when opening its corresponding extraction: 


» In the Extractions area, select Suggest restoring a session file when its corresponding 
extraction is loaded. 


Thumbnail cache

To set the number of extractions for the cached thumbnails in a project:

» In the Thumbnails area, select the number of extractions from 5 to 20. The default is 10.

If you do not want to save the cached thumbnails:

» In the Thumbnails area, clear the Save cached thumbnails in project check box.

If you do not want to load the thumbnail cache to memory (to conserve disk space):

» In the Thumbnails area, clear the Load thumbnail cache to memory check box.


Views


Selected entities are included in reports or results. 


To select all entities by default to be included in reports, for all views:

» In the Views area, select the Check all entities by default check box.

To disable the What's new page:

» In the Views area, select the Disable What's new check box.

This setting controls the decoding of fts_messages.db, which provides another source of
data for the WeChat app. It has the potential to recover deleted and missing WeChat
records, and it can also introduce duplicates.

To control the number of duplicates, clear the Parse FTS content from WeChat check box.


Network 


To disable network traffic (for example, the application will not check for new software versions):

» In the Network area, clear the Disable network traffic check box.


To enable Internet access for apps in the Virtual Analyzer: 


6.2. Data files 


[Screenshot: Data Files settings, with the check boxes Tag all untagged files as “Uncategorized” and Filter system images by default, and a table with the columns Active, Description, Extensions, Signature Filter and Tag As listing the default groups Images, Videos, Audio, Text, Databases, Configurations, Applications, Documents, Archives, Exchange and Shortcut.]


The Data Files settings determine the different file and tagging groups under the Data Files 
and Tags tree items, and the types of files filtered in each group. 


Tags and filters 


» Select to automatically tag untagged files as “Uncategorized.” 
» Select to filter system images by default. 
Data file settings


Every data file record contains the following settings:

» Active - Indicates whether to display (checked) or hide (unchecked) this group of data files
in the project tree.
» Description - A descriptive name for the type of data files to be used as the group name
under the Data files tree item.
» Extensions - The file extensions to be used to filter the data files of this group.
» Signature filter - The header and/or footer signatures to be used to filter the data files of
this group.
» Tag As - The tag name to be applied to the data file and used to list the files under Tags
in the project tree.


6.2.1. Data files filtering methods 


Groups can be filtered using one or more of the following methods: 


» Signature filter: A signature filter is a definition of the file header and/or footer to be
searched, in order to detect a file type and associate it with a specific Data File group.
The header and/or footer can be configured in a defined range from the beginning and
end of the file respectively by using the offset parameter.

For example, a JPEG image starts with the header FF D8 FF and ends with the footer FF
D9. Entering this information in the Header and Footer fields of the signature creates a
signature that identifies JPEG images.

» Extension filter: An extension filter is a list of common file extensions that are associated
with file formats that belong to the specific data file group.

For example, the different image file formats can be filtered by the file extensions *.jpg,
*.jpeg, *.gif, *.png or *.bmp.
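The two filtering methods above can be compared on the same file to spot content whose extension does not match its signature. The following Python sketch is an added example, not Cellebrite's code and not part of the original manual; the meaning given to the offset parameter, the group definitions and the sample byte strings are assumptions constructed for illustration (the PNG signature is the standard one and does not come from the manual).

```python
"""Classify files by extension and by header/footer signature, and flag disagreements."""
from dataclasses import dataclass
from pathlib import PurePath


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes = b""
    footer: bytes = b""
    header_offset: int = 0  # assumed meaning: header may start up to N bytes into the file
    footer_offset: int = 0  # assumed meaning: footer may end up to N bytes before end of file

    def matches(self, data: bytes) -> bool:
        if not self.header and not self.footer:
            return False  # an empty signature would match every file
        header_end = 0
        if self.header:
            pos = data.find(self.header, 0, self.header_offset + len(self.header))
            if pos < 0:
                return False
            header_end = pos + len(self.header)
        if self.footer:
            # Search only the tail, and never inside bytes already claimed by the header.
            tail_start = max(header_end, len(data) - self.footer_offset - len(self.footer))
            if data.rfind(self.footer, tail_start) < 0:
                return False
        return True


@dataclass(frozen=True)
class Group:
    tag: str
    extensions: frozenset
    signatures: tuple = ()


# Hypothetical groups modelled on the manual's Image and Text examples.
GROUPS = (
    Group("Image", frozenset({".jpg", ".jpeg", ".gif", ".png", ".bmp"}), (
        Signature("JPEG", header=b"\xff\xd8\xff", footer=b"\xff\xd9", footer_offset=16),
        Signature("PNG", header=b"\x89PNG\r\n\x1a\n", footer=b"IEND\xaeB`\x82"),
    )),
    Group("Text", frozenset({".txt", ".xml", ".html", ".csv", ".log"})),  # no signatures
)


def classify(filename: str, data: bytes, groups=GROUPS) -> dict:
    """Return the group chosen by extension, the group chosen by signature, and a mismatch flag."""
    ext = PurePath(filename).suffix.lower()
    by_ext = next((g for g in groups if ext in g.extensions), None)
    by_sig = next((g for g in groups if any(s.matches(data) for s in g.signatures)), None)
    # An extension can only be contradicted when there is a signature to test it against.
    checkable = by_sig is not None or (by_ext is not None and bool(by_ext.signatures))
    return {
        "extension_group": by_ext.tag if by_ext else None,
        "signature_group": by_sig.tag if by_sig else None,
        "mismatch": checkable and by_sig is not by_ext,
    }


# Constructed sample: a minimal byte string with a JPEG header and footer (not a real image).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"

if __name__ == "__main__":
    samples = [
        ("IMG_0001.jpg", JPEG_SAMPLE),               # extension and content agree
        ("notes.txt", JPEG_SAMPLE),                  # image content under a text extension
        ("photo.jpg", b"not an image"),              # image extension without an image signature
        ("padded.jpeg", JPEG_SAMPLE + b"\x00" * 8),  # footer found only because of footer_offset
        ("readme.log", b"plain text"),               # group without signatures: extension decides
    ]
    for name, blob in samples:
        print(name, classify(name, blob))
```

A signature with a footer offset of 0 rejects the padded sample, which is why the range matters for files that carry trailing bytes after the footer.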


6.2.2. Managing data files settings 


Add new types of data files, and edit and delete existing data file types. 


6.2.2.1. Adding a new data file type 


1. In the Data Files settings, click the add icon.

A new row is added to the list.

2. Select Active to display the added data type in the Data Type tree item.

3. Click in the new row's Description box, and type a file type description.

4. If applicable, in the Extensions box, enter the file extensions commonly used by your data
file type in the format *.xxx, separated by ;.

5. If applicable, in the Signature filter box, click the icon and do any of the following:

Use Name Header Footer
JPG Files \xDE\xAD \xBE\xEF
PNG Files \x89PNG \xBE\xEF

» Click the add icon to add a filtering signature that identifies your data file type.
» Click the edit icon to edit an existing signature filter.
» Click X to delete a signature filter.

6. If applicable, click in the Tag As box and select a tag name from the list.

7. To change the order of the data file types, use the arrows.

8. To clear the list of data file types you added, leaving only the default types, click Restore
default.


6.2.2.2. Editing an existing data file record

1. Click the row of the data file type that you want to edit.


2. Double-click in the column and row that you want to change, and update the existing 
settings as desired. 


6.2.2.3. Deleting a data file type 
1. Click the row of the data file type that you want to delete. 


2. Click the delete icon.
6.3. Interface


Set a theme for Cellebrite Reader, either light or dark interface. 




Changing the interface configuration settings will cause the application to close and then
restart.




6.4. Additional report fields 




Optional information is user-defined information presented at the beginning of the report. It 
usually includes information about the case, investigator, and organization details. 


Every optional information record consists of the following: 


Name | The name of the report field.
Required | Indicates if the field must be filled in order to generate the report.
Type | The type of entry - String or List.
Default value | Default content.

You can add new report fields, and edit and delete fields, as desired.


6.4.1. Adding a new report field

1. Click Add New.

A new row is added to the table.

2. In the Name column, enter the name label to be displayed.
3. Select Required if this field must be filled in order for the user to generate the report.
4. In the Type list, select one of the following:
» String for text entry fields
» List for a specified list of options
5. In the Default Value box, set the default content:
» For String type, type the default string. For a multi-line string, click the edit icon, enter the
default string in the Option Editor, then click Save.
» For a List type, click the edit icon, enter the list items with each item on a separate line, then
click Save.


6.4.2. Editing a report field 


» To edit a report field, perform steps 2-5 of Adding a new report field (on the previous
page), changing the parameters to suit your needs.


6.4.3. Deleting a report field

» To delete a report field, click X.


6.5. Report defaults 


The Report Defaults settings enable you to edit the report presentation. 


Scroll down to see all the fields. 


» In the Report type list, select the report type that you want to edit. 
General settings

» Default folder - Enter the path to the folder where you want to save reports you generate
for this report type.
» Default sorting - Select to sort the items included in the generated report according to
the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear
to sort the items according to the sorting field and the sorting order (ascending or
descending) that was set by the user in each of the data display tables.
» Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash - Select which calculated
MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do
not select these options if you want to shorten the report generation process of large projects.
» Include translations - Select to include any translated text in the report.
» Include merged items (analyzed data) - Select to include merged data from the Analyzed
Data area.
» Include merged items (data files) - Select to include merged data from the Data Files
area.
» Include Reader - Select to share UFDR reports with authorized persons using the
Reader. This option is for the UFDR format only. The Reader executable will then be
included within the report output folder.
» Include system images - Select to include system images (images that come with the
device or as part of an app installation) as well as non-system images.
» Include account package - Select to include an account package with user credentials,
which can be used by UFED Cloud.
» Include enrichments - Select to include BSSID enrichment data.
» Hide extraction source indication - Select to hide the source file information.
» Include Thumbnail Cache - Select to include the thumbnail cache.
» Disable promotions in Reader - Select to disable promotions in Cellebrite Reader.
» Full size images (screen capture) - Select to include full size images from the Screen
capture tool.
» Include chat bubbles - Select to include the chat bubbles of the conversation in the
report. Select Include metadata in chat bubbles to include the metadata.
» Disable models categorization - Select to disable the separation and generate a report in
which every data item group is generated as a single section without subcategories.
By default, a categorized report is generated, in which each category in the data items
group appears as a separate section. For example, when generating a report with Call
logs, select the check box to generate the Call logs as a single list, or clear the check box
to break it into a separate list for each category of Call logs.
For Excel reports, set the following:

» Unprintable characters placeholder - Set the placeholder character to replace the
unprintable characters.
» Output File Format - Set the output file format of the spreadsheet file to one of the following:
* XLSX - The current Excel file format.
* XLS - The legacy file format of Excel.
* ODS - The spreadsheet file format of OpenOffice.
» The excel report is compatible with OpenOffice - Select to ensure the Excel report can
be opened in OpenOffice.
» Generate Contact Identification Data - Select to add a sheet to the Excel report that
provides a list of unique contacts based on type.


For HTML reports, set the following:

» Logo Header - Enter and format custom text to appear in the report header before the
logo image.
» Logo - Click Select Image File to add the logo image to appear in the report header.
Supported file formats are: BMP, JPG, GIF, and PNG.
» Logo Footer - Enter and format custom text to appear in the report footer after the
logo image.
» Show totals for items not in the report - Add a Total column to the report that displays
the total number of items that were excluded from the report.
» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of
deleted items in the generated report. When not selected, the report logs only the state of
deleted items as Yes, and leaves it empty for other states.
» Number of lines for email preview - Set the maximum number of lines from each email
message to appear in the report.
» Display full email body - Display the entire message body.
» Number of messages per chat - Set the maximum number of lines per chat message
to appear in the report.
» Display all chat messages - Display all chat messages in the report.
» Split HTML report - Set each section of the report to start on a new page.
For PDF reports, set the following:

» Logo Header - Enter and format custom text to appear in the report header before the
logo image.
» Logo - Click Select Image File to add the logo image to appear in the report header.
Supported file formats are: BMP, JPG, GIF, and PNG.
» Logo Footer - Enter and format custom text to appear in the report footer after the
logo image.
» Show totals for items not in the report - Add a Total column to the report that displays
the total number of items that were excluded from the report.
» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of
deleted items in the generated report. When not selected, the report logs only the state of
deleted items as Yes, and leaves it empty for other states.
» Number of lines for email preview - Set the maximum number of lines from each email
message to appear in the report.
» Display full email body - Display the entire message body.
» Number of messages per chat - Set the maximum number of lines per chat message
to appear in the report.
» Display all chat messages - Display all chat messages in the report.


For Word reports, set the following:

» Logo Header - Enter and format custom text to appear in the report header before the
logo image.
» Logo - Click Select Image File to add the logo image to appear in the report header.
Supported file formats are: BMP, JPG, GIF, and PNG.
» Logo Footer - Enter and format custom text to appear in the report footer after the
logo image.
» Show totals for items not in the report - Add a Total column to the report that displays
the total number of items that were excluded from the report.
» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of
deleted items in the generated report. When not selected, the report logs only the state of
deleted items as Yes, and leaves it empty for other states.
» Number of lines for email preview - Set the maximum number of lines from each email
message to appear in the report. The report includes links to text files containing the
entire email.
» Display full email body - Set to display the entire message body.
» Number of messages per chat - Set the maximum number of lines per chat message
to appear in the report.
» Display all chat messages - Display all chat messages in the report.




6.6. Saving settings 


Save your settings to reuse later, or to share with another user. 


1. In the Settings window, click Save Configuration. 
2. In the Save As window, browse to the location where you want to save your settings
configuration, and click Save.


The settings are saved as a Cellebrite Reader Settings Configuration File (*.cnf).


6.7. Loading settings 


Load your saved settings configuration. 


1. In the Settings window, click Load Configuration. 
2. In the Open window, browse to the location where your settings configuration is saved, 
select the configuration (*.cnf), and click Open. 


The settings are applied in the Settings window. 


6.8. Setting project settings 


Set unified time zone and case information for each project. 


6.8.1. Setting a unified time zone for the project 


During extraction, one time stamp per event is extracted. 


For outgoing events, the time stamp is typically taken from one of the following sources: 


» User-defined device time (where the device time has been manually set by the user):
timestamps are displayed without the unified time (UTC).

» Network-defined device time (where the device time is automatically set by the network):
timestamps are displayed with the unified time (UTC).


For incoming events, the time stamp is typically taken from the network-defined time (the
time stamp assigned by the network); timestamps are displayed with the unified time (UTC).


Network-defined time stamps are subject to the time zones in which the event occurred. 


Apply a unified time zone to the project to recalculate all network-defined time stamps 
according to the selected time zone in order to consolidate the events and view them 
sequentially in Cellebrite Reader. 
To apply a unified time zone to the project:


1. Do one of the following:
» In the project Extraction Summary tab, click Project settings.
» Go to Tools > Project settings.


2. From the Time zone settings (UTC) list, select: 
» Original UTC value to show time stamps as recorded. 


» One of the time zones (UTC -12:00 to UTC +13:00) to recalculate network-defined time 
stamps according to the time zone offset. 


User-defined time stamps are not included in these recalculations, and are displayed as
recorded.


3. To enable or disable the daylight saving time, select or clear the Use daylight savings 
check box. 


4. To change the start and end dates for daylight saving time, click Daylight Saving Time. 


a. For the year that you want to change, use the calendar to select the start and end
dates, or edit the dates directly. You can use the x button to remove certain years.


b. Click Back to last saved data to reset the table to the last time that you saved the data, 
click Back to original data to return the table to its default settings, or click Save to 
save the table with any changes that you made. 


5. Click OK. 


The project is recalculated according to the selected unified time zone, and the new time
zone is applied to the network-defined time stamps. Time stamps of events displayed in
Cellebrite Reader windows and any subsequently-generated reports reflect the selected
unified time zone.
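The recalculation described in this section can be reproduced outside the application to check a timeline by hand. The following Python sketch is an added example, not Cellebrite's code; it assumes network-defined time stamps are represented as offset-aware values and user-defined ones as values without an offset, uses fixed offsets without daylight saving time, and runs on constructed sample events from two extractions.

```python
"""Recalculate network-defined time stamps to one unified offset; leave user-defined ones as recorded."""
from datetime import datetime, timedelta, timezone


def tz(hours):
    """Fixed UTC offset, for example tz(-7) for UTC-7 (no daylight saving time)."""
    return timezone(timedelta(hours=hours))


def unify(events, offset_hours):
    """Split events into (recalculated and sorted, left as recorded).

    events: list of (label, datetime). An aware datetime stands for a network-defined
    time stamp; a naive datetime stands for a user-defined one (assumption of this example).
    """
    target = tz(offset_hours)
    adjusted, as_recorded = [], []
    for label, stamp in events:
        if stamp.tzinfo is None:
            # No offset is known, so the value cannot be shifted or reliably ordered.
            as_recorded.append((label, stamp))
        else:
            adjusted.append((label, stamp.astimezone(target)))
    adjusted.sort(key=lambda item: item[1])
    return adjusted, as_recorded


def wall_clock_order(events):
    """Order network-defined events by displayed clock time only, ignoring the offset."""
    aware = [(label, stamp) for label, stamp in events if stamp.tzinfo is not None]
    return [label for label, stamp in sorted(aware, key=lambda e: e[1].replace(tzinfo=None))]


# Constructed sample: device A recorded in UTC-7, device B in UTC+2.
EVENTS = [
    ("A sends", datetime(2020, 12, 4, 13, 57, 48, tzinfo=tz(-7))),
    ("A reads reply", datetime(2020, 12, 4, 13, 58, 35, tzinfo=tz(-7))),
    ("B receives", datetime(2020, 12, 4, 22, 57, 50, tzinfo=tz(2))),
    ("B replies", datetime(2020, 12, 4, 22, 58, 30, tzinfo=tz(2))),
    ("A photo, clock set by user", datetime(2020, 12, 4, 9, 15, 0)),
]

if __name__ == "__main__":
    print("By displayed clock time:", wall_clock_order(EVENTS))
    adjusted, as_recorded = unify(EVENTS, 0)
    for label, stamp in adjusted:
        print(stamp.isoformat(), label)
    for label, stamp in as_recorded:
        print(stamp.isoformat(), label, "(as recorded, not recalculated)")
```

Sorting by displayed clock time places "A reads reply" before "B replies"; after recalculation to UTC+0 the four network-defined events fall into the order in which they happened.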


6.8.2. Setting the case information 

1. Case information settings are saved with the project. The case number appears with the 
extraction information on the Welcome tab. 

2. In the project Extraction Summary tab, click Project settings. 

3. Click Case Information. 




4. Click Add New.

5. In the Name column, enter the case name.

6. Select Required if this field must be filled.

7. In the Type list, select one of the following:
» String for text entry fields
» List for a specified list of options

8. In the Default Value box, set the default content:
» For String type, type the default string. For a multi-line string, click the edit icon, enter the
default string in the Option Editor, then click OK.
» For a List type, click the edit icon, enter the list items with each item on a separate line, then
click OK.

9. To add more rows, click Add New, and repeat steps 4-7.

10. To remove the entry, click (x).

11. To restore the default settings, click Restore default settings.
7. Menus


This section describes the menus and commands.


File menu (below)
View menu (on the next page)
Tools menu (on page 110)
Report menu (on page 111)
Help menu (on page 112)


7.1. File menu 


na SEUR Open a file for analysis using the standard analysis process. 
Recent | Displays a list of recent projects.
Add external file | Include related artifacts in your case such as search warrants, additional images and relevant documents. See Adding external files (on page 17).
Close tabs | Close all the tab windows for a specific project.
Close | Closes the currently active project.
Save project session | Saves the active project information generated by the user as a Cellebrite Reader Session File (*.pas). See Saving a project session (on page 16).
Load project session | Loads a Cellebrite Reader Session File (*.pas) onto an open project in the project tree.
Exit | Closes the Cellebrite Reader and all active sessions.
7.2. View menu


Welcome screen | Displays the Welcome tab. See Welcome tab (on page 35).
Trace window | Show/hide the trace panel at the bottom of the data display area.


7.2.1. Viewing the trace window 


Show the Trace window at the bottom of the data display area to view a log of the actions 
performed in your session by you or by Cellebrite Reader, such as plug-in activation. 


1. In the View menu, select Trace window.


The Trace window appears below the data display area. 


Trace window
Clear
Program Start 11-Sep-16 09:53:31
Thumbnail cache size has been set to 300 MB
Loading user layout: C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer\Layouts\layoutAlizaS.config
Loading ufdx file: C:\Users\alizas\Desktop\Samsung GSM GT-i9205 Samsung Galaxy Mega 6.3 2015_11 23 (003)\EvidenceCollection.ufdx
Extraction was opened by UFED Physical Analyzer version 5.4.0.39
Running plugin Pre Project (debug=False)
Setting extraction info...
Adding project processor...
Plugin Pre Project finished, runtime: 00:00:00.04
Running plugin MBRGeneric (debug=False)
Parsing MBR for memory range; Image
Loading file: C:\Users\alizas\Desktop\Samsung GSM GT-i9205 Samsung Galaxy Mega 6.3 2015_11_23 (003)\Physical Boot Loader (Recommended) 01\Sams!


2. To clear the log, in the Trace window, click Clear. 


3. To close the Trace window, click X.

The Trace window can be hidden or displayed.

» To pin the Trace window open, click the pin icon.
» To unpin the Trace window, click the pin icon again.
» To view the Trace window when hidden, select or mouse over the tab.
7.3. Tools menu


Enrichment of BSSID and cell IDs | Opens the Enrichment database sub-menu, from where you can install the database, import and export XML files with BSSID and cell tower data, as well as online enrichment. See Enrichment of BSSID and cell IDs (on page 63).
Manage tags | Opens the Manage tags window. See Tags (on page 68).
Generate dictionary files | Create alphanumeric files with all the words in a decoded project. See Generating dictionary files (on page 65).
Settings | Opens the application settings window. See Settings.
Project settings | Set unified time zone and case information for each project. See Setting project settings (on page 104).
7.4. Report menu


Generate Report | Generates a report summary of all information found by the analysis process. See Generating a report (on page 79).
Generate preliminary device report | Generates an ‘at a glance’ intelligence report that includes parsed device information and user account information. See Generating a Preliminary device report (on page 89).
7.5. Help menu


Supported apps | Lists the supported applications and verified versions for Android, BlackBerry, iOS, and Windows Phone devices.
Manual | Opens the user manual.
Check for new version | Check for new software version if connected to the Internet.
Zip log files | Zips the log files and opens the folder where the zipped log files are saved.
Zip log files with system information | Zips the log files and includes detailed information about the operating system, drivers, application data, event logs etc. This information can be used to analyze report cases.
License agreement | Opens the software license agreement.
About | Provides information about the installed Cellebrite Reader version.
8. Glossary


C

CAS
Cellebrite Advanced Services (CAS) offers customers the ability to recover valuable
evidence from heavily damaged, locked or encrypted devices.

Cellebrite UFED 4PC
Enables users to deploy extraction capabilities on Windows based tablets, laptops,
and desktop computer systems. It performs physical, logical, file system and
password extractions on a wide range of devices.

Cellebrite UFED Touch
Enables the simplified extraction of mobile device data. Depending on the license
purchased, it performs physical, logical, file system and password extractions on a
wide range of devices.

P

Physical/Logical Analyzer
An analysis and reporting tool for logical, file system and physical extractions. This
software solution provides users with the capability to extract data, perform
advanced analysis, decoding and reporting, and present the results in a clear and
concise manner.

U

UFED
Universal Forensic Extraction Device